talos | Carl Hurd of Cisco Talos | TALOS-2019-0772
History: May 08, 2019 - 12:00 a.m.

Winco Fireworks FireFly Bluetooth Low Energy Improper Access Control Vulnerability

www.talosintelligence.com

CVSS2: 3.3
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 6.5
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 25.0%

Summary

An exploitable improper access control vulnerability exists in the Bluetooth Low Energy functionality of Winco Fireworks FireFly FW-1007 V2.0. An attacker can connect to the device to trigger this vulnerability.

Tested Versions

Winco Fireworks FireFly FW-1007 V2.0

Product URLs

<https://shootfirefly.com/>

CVSSv3 Score

6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-284: Improper Access Control

Details

The Winco Fireworks FireFly is an automated fireworks launcher designed to be operated remotely over Bluetooth Low Energy. The launcher is designed not only to fire single fireworks safely, but also to coordinate larger fireworks shows of up to 15 different fireworks that can be staged to music. The majority of this coordination occurs in the FireFly phone application.

The vulnerability is present within the firmware of the FireFly device itself. The device does not require or use any form of authentication of the device that connects to it. It accepts a single Bluetooth Low Energy connection at a time, from any peer, and executes the commands it receives. By connecting to the device and sending the following command, any fireworks bay can be launched without any type of authentication.

0xAA 06 77 00 00 00 04 |bay number|

This vulnerability exposes a physical safety issue: the operator cannot trust that the device is disconnected from all users while they are working on the fireworks. A unique Bluetooth Low Energy PIN should be used to properly enforce a pre-shared key prior to exposing the FireFly to a potentially malicious environment.
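The firmware-side check that the recommendation above implies, as an added example that is not taken from the FireFly firmware or the Talos report: the command handler refuses every write from a peer that has not completed PIN pairing, then validates the frame strictly. The names link_state_t, handle_write and fire_bay are hypothetical, and the 1..15 bay numbering is an assumption based on the 15-firework limit mentioned above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection state reported by the BLE stack. */
typedef struct {
    bool encrypted;      /* link-layer encryption is active */
    bool authenticated;  /* pairing used the device's unique PIN/passkey */
} link_state_t;

typedef enum { CMD_OK, CMD_REJECT_AUTH, CMD_REJECT_FORMAT, CMD_REJECT_BAY } cmd_result_t;

/* Fixed bytes of the launch command quoted in the advisory (meaning not documented there). */
static const uint8_t LAUNCH_PREFIX[7] = {0xAA, 0x06, 0x77, 0x00, 0x00, 0x00, 0x04};
#define MAX_BAY 15               /* assumption: bays are numbered 1..15 */

static int last_fired_bay = -1;  /* stand-in for the igniter driver */
static void fire_bay(uint8_t bay) { last_fired_bay = bay; }

/* Handle one write to the command characteristic. */
cmd_result_t handle_write(const link_state_t *link, const uint8_t *buf, size_t len)
{
    /* Refuse everything from a peer that has not completed PIN pairing,
       before any byte of the payload is interpreted. */
    if (link == NULL || !link->encrypted || !link->authenticated)
        return CMD_REJECT_AUTH;
    /* Exact length and prefix match: no partial or oversized frames. */
    if (buf == NULL || len != sizeof LAUNCH_PREFIX + 1 ||
        memcmp(buf, LAUNCH_PREFIX, sizeof LAUNCH_PREFIX) != 0)
        return CMD_REJECT_FORMAT;
    uint8_t bay = buf[sizeof LAUNCH_PREFIX];
    if (bay < 1 || bay > MAX_BAY)
        return CMD_REJECT_BAY;
    fire_bay(bay);
    return CMD_OK;
}

int main(void)
{
    /* Constructed sample frame: launch prefix followed by bay 3. */
    const uint8_t frame[8] = {0xAA, 0x06, 0x77, 0x00, 0x00, 0x00, 0x04, 0x03};
    link_state_t unpaired = {false, false}, paired = {true, true};
    printf("unpaired peer: %d\n", handle_write(&unpaired, frame, sizeof frame));
    printf("paired peer:   %d\n", handle_write(&paired, frame, sizeof frame));
    return 0;
}
```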

Credit

Discovered by Carl Hurd of Cisco Talos.

Timeline

2019-01-23 - Initial Contact
2019-01-24 - Vendor Disclosure; Vendor acknowledged reports
2019-02-19 - 1st follow up (near 30 day); no response
2019-03-28 - 2nd follow up (60 day); no response
2019-04-10 - Notice of 90 day mark approaching
2019-05-08 - Public Release
